How the GDPR will disrupt Google and Facebook

Google and Facebook will be unable to use the personal data they hold for advertising purposes without user permission. This is an acute challenge because, contrary to what some commentators have assumed, they cannot use a “service-wide” opt-in for everything. Nor can they deny access to their services to users who refuse to opt-in to tracking.[1] Some parts of their businesses are likely to be disrupted more than others.

The GDPR Scale

When one uses Google or Facebook.com one willingly discloses personal data. These businesses have the right to process these data to provide their services when one asks them to. However, the application of the GDPR will prevent them from using these personal data for any further purpose unless the user permits. The GDPR applies the principle of “purpose limitation”, under which personal data must only be “collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes”.[2]

Google and Facebook cannot confront their users with broad, non-specific, consent requests that cover the entire breadth of their activities. Data protection regulators across the EU have made clear what they expect:

“A purpose that is vague or general, such as for instance ‘Improving users’ experience’, ‘marketing purposes’, or ‘future research’ will – without further detail – usually not meet the criteria of being ‘specific’”.[3]

A business cannot, for example, collect more data for a purpose than it needs and then retroactively ask to use those data for additional purposes.[4]

It will be necessary to ask for consent, or present an opt-out choice, at different times, and for different things. This creates varying levels of risk. We estimate these risks on the “GDPR scale”, shown below.

The scale ranges from zero to five. Five, at the high end of the scale, describes the circumstances that many adtech companies that have no direct relationship with Internet users will find themselves in. They need to get the consent of the people whose data they rely on. But they have no channel of communication through which they can do so.

Four, next highest on the scale, refers to companies that have direct relationships with users, and can use this to ask for consent. However, users have little incentive to “opt-in” to being tracked for advertising. Whereas a user might opt-in to some form of profiling that comes with tangible benefits, such as a loyalty scheme, the same user might not be willing to opt-in to more extensive profiling that yields no benefit. The extensiveness of the profiling is important because, as the note at the bottom of this page shows, users will be aware of the uses of their data when consent is sought. Thus adtech tracking across the web might rank as four, but a loyalty scheme might rank as three on the GDPR scale.

A slightly more attractive prospect, from Google and Facebook’s perspective, is to inform a user about what they want to do with the personal data, and give the user a chance to “opt-out” beforehand.[5] This is two on the scale. This opt-out approach has the benefit – from the company’s perspective – that some users’ inaction may allow their data to be used. The GDPR permits the opt-out approach when the purposes that the companies want to use the data for are “compatible” with the original purpose for which personal data were shared by users.[6] In addition to the opt-out notice, users also have to be told of their right to object at any time to the use of their data for direct marketing.[7]

One on the scale refers to activities that currently involve the processing of personal data, but that do not need to do so. With modification, these activities could be put beyond the scope of the Regulation.

Activities at the zero end of the scale are outside the scope of the Regulation, because they use no personal data.

Google

Our estimate of Google, when applied to this scale, shows a significant range of products at four on the scale, with the proviso that some part of that set of products can be modified, which would lower their score from four to one.Download PDF

All personalized[8] advertising on Google sites such as Search, Youtube, Maps, and the websites where Google provides advertising is scored four because it will require that users opt-in to extensive tracking.

If, however, users have already “signed in” to Google Search or Chrome, Google may argue that the purpose of these technologies is “compatible” with purposes users agreed to, and hope to use an opt-out rather than an opt-in. Whether this would be successful, however, remains to be seen.

“Customer Match”, which targets users and similar users based on personal data contributed by an advertisers.[16] A prospect would have had to give their consent to the advertiser for this to occur.

“Remarketing lists for search ads (RLSA)”, retargeting from site visitors by using Google Analytics, is likely to be prevented by the ePR.[20]

Gmail, the most popular e-mail service in the world, will also be affected. Google mines the content and metadata of each email message sent and received in Gmail to target advertising. This could not have continued under the GDPR and ePR without each sender and recipient giving their consent. Clearly, few would do so, and Gmail is at four on the scale. This may be the real reason, or at least a contributing reason, why Google has recently announced that it will stop mining people’s emails for ads.[21]

At two on the scale is “location targeting”,[22] and “location extensions”, technologies in Google Maps that enable advertising to target users based on geographical proximity. This score, however, is based on the assumption that advertising in map search results is accepted as a compatible purpose with the original purpose for which location data were shared by users.

Google’s AdWords product has the benefit that it can be modified to operate entirely outside the scope of the GDPR and ePR. This is why it appears at four on the scale, and at one. If Google discards personalized targeting features from AdWords, then it can continue to target advertisements to people based on what they search for.

Finally, at zero on the scale is Google’s “placement-targeted” advertisements.[23] These target only by the context of the pages they appear on, rather than by using personal data. Therefore they are out of scope of the GDPR.

Facebook

Significant parts of Facebook’s business are at two and four on the scale.Download PDF

The Facebook Audience Network is scored four because it requires the processing of personal data from Facebook users to target them on other websites. It is unlikely that this will be regarded as a compatible use. If it is, Facebook will have to convince users not to opt-out.

WhatsApp advertising is also scored four on the scale because it will be necessary for users to give their consent (an opt-in, rather than an opt-out) for their personal data on WhatsApp to be processed for purposes unrelated to WhatsApp functionality on Facebook properties other than WhatsApp.[24]

Farther down the scale, at two, is Facebook’s Newsfeed, which may be able to use an opt-out approach to get some users to permit the processing of these personal data.

However, the nature of the content in the Newsfeed may limit the range of data it can process. Any information that reveals a person’s race, ethnicity, political opinion, religious or philosophical beliefs, trade union membership, or are related to a person’s sex life or sexual orientation are in “special categories of data”. These cannot be used without explicit consent, or unless they have been “manifestly made public by the data subject”.[25] Facebook may not be able to mine some posts in the Newsfeed that are not marked “public” (or, perhaps, “friends of friends”[26]). It may even be that the determination of which posts are “special categories” of data, and which are not, may itself be processing that goes to far.

The use of personal data from Instagram for advertising on Instagram may accepted as a compatible purpose, and enable Instagram to use an opt-out notice rather than request an opt-in.

Access the GDPR/ePR repository

A repository of GDPR and ePrivacy Regulation explainers, official docs, and current status.

Conclusion

Both Google and Facebook have direct relationships with their users, and have a well thought out design for their current privacy requests. However, they are not immune to disruption when the new regulations apply. Indeed, some parts of their businesses may be particularly susceptible to them. While they can process personal data necessary to provide services that their users request, using these data for any other purpose requires user-permission, or inaction, in the case of out-outs. The critical question for both businesses is whether users will click “yes”, when asked to consent.

PageFair Research

We are surveying sample industry-insiders’ insights into this question. Your shared insights may illuminate this issue. Please click the button below to take the survey.

Perimeter: the regulatory firewall for online media and adtech.

Notes

[1] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) [2016] OJ L119/1. See Recital 42’s reference to “without detriment”, Recital 43’s discussion of “freely given” consent, and Article 7(2) prohibition of conditionality. See also the UK Information Commissioner’s Office’s draft guidance on consent, 31 March 2017, p. 21, which clearly prohibits so-called “tracking walls”.

[4] The GDPR, Recital 32 notes that “When the processing has multiple purposes, consent should be given for all of them”. Recital 39 notes that “specific purposes for which personal data are processed should be explicit and legitimate and determined at the time of the collection of the personal data. The personal data should be adequate, relevant and limited to what is necessary for the purposes for which they are processed. This requires, in particular, ensuring that the period for which the personal data are stored is limited to a strict minimum”.

[10] According to Google, this is “based on their specific interests as they browse pages, apps, channels, videos, and content across YouTube and the Google Display Network as well as on YouTube search results”. See “About targeting your ads by audience interests”, Google AdWords Help, (URL:https://support.google.com/adwords/answer/2497941?hl=en).

[13] “AdWords looks at browsing activity on Display Network sites over the last 30 days, and uses this, along with its contextual engine, to understand the shared interests and characteristics of the people in your remarketing list.” “About similar audiences on the Display Network”, Google AdWords Help (URL: https://support.google.com/adwords/answer/2676774?hl=en).

Consent Notice Items

Businesses will have to provide the following information to internet users when seeking their consent.

Who is collecting the data, and how to contact them or their European representative.

What the personal information are being used for, and the legal basis of the data processing.

The “legitimate interest” of the user of the data (This refers to a legal basis that may be used by direct marketing companies).

With whom the data will be shared.

Whether the controller intends to transfer data to a third country, and if so has the European Commission deemed this country’s protections adequate or what alternative safeguards or rules are in place.

The duration of storage, or the criteria used to determine duration.

That the user has the right to request rectification to mistakes in this personal information.

That the user has the right to withdraw consent.

How the user can lodge a complaint with the supervisory authority.

What the consequences of not giving consent might be.

In cases of automated decision-making, including profiling, what the logic of this process is, and what the significance of the outcomes may be.